Merge branch 'saml-username-max-length' into 'master'

Trim long usernames from SAML See merge request !354

Merge branch 'saml-username-max-length' into 'master'
Trim long usernames from SAML See merge request !354
4d63a446 · Dudás Ádám · f179463d · 7a09c4a7 · 4d63a446 · 4d63a446
Commit 4d63a446 authored Sep 09, 2015 by Dudás Ádám
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 1 deletions

circle/circle/settings/base.py
+2 -0

circle/circle/settings/test.py
+2 -0

circle/common/backends.py
+18 -1

No files found.
--- a/circle/circle/settings/base.py
+++ b/circle/circle/settings/base.py
@@ -505,6 +505,8 @@ if get_env_variable('DJANGO_SAML', 'FALSE') == 'TRUE':
    if get_env_variable('DJANGO_SAML_ORG_ID_ATTRIBUTE', False) is not False:
        SAML_ORG_ID_ATTRIBUTE = get_env_variable(
            'DJANGO_SAML_ORG_ID_ATTRIBUTE')
+    SAML_MAIN_ATTRIBUTE_MAX_LENGTH = int(get_env_variable(
+        "DJANGO_SAML_MAIN_ATTRIBUTE_MAX_LENGTH", 0))

 LOGIN_REDIRECT_URL = "/"


--- a/circle/circle/settings/test.py
+++ b/circle/circle/settings/test.py
@@ -71,3 +71,5 @@ STORE_URL = ""

 # buildbot doesn't love pipeline
 STATICFILES_STORAGE = 'django.contrib.staticfiles.storage.StaticFilesStorage'
+
+SAML_MAIN_ATTRIBUTE_MAX_LENGTH=0  # doctest on SAML2 backend runs either way
--- a/circle/common/backends.py
+++ b/circle/common/backends.py
@@ -17,9 +17,14 @@
 # with CIRCLE.  If not, see <http://www.gnu.org/licenses/>.

 import re
+import logging
+import sha

+from django.conf import settings
 from djangosaml2.backends import Saml2Backend as Saml2BackendBase

+logger = logging.getLogger(__name__)
+

 class Saml2Backend(Saml2BackendBase):
    u"""
@@ -41,7 +46,19 @@ class Saml2Backend(Saml2BackendBase):
        if isinstance(main_attribute, str):
            main_attribute = main_attribute.decode('UTF-8')
        assert isinstance(main_attribute, unicode)
-        return re.sub(r'[^\w.@-]', replace, main_attribute)
+        attr = re.sub(r'[^\w.@-]', replace, main_attribute)
+        max_length = settings.SAML_MAIN_ATTRIBUTE_MAX_LENGTH
+        if max_length > 0 and len(attr) > max_length:
+            logger.info("Main attribute '%s' is too long." % attr)
+            hashed = sha.new(attr).hexdigest()
+            if "@" in attr:
+                domain = attr.rsplit("@", 1)[1]
+                attr = "%s@%s" % (hashed[:max_length-1-len(domain)],
+                                  domain)
+            else:
+                attr = hashed[:max_length]
+            logger.info("New main attribute: %s" % attr)
+        return attr

    def _set_attribute(self, obj, attr, value):
        if attr == 'username':